Identity-and-Access-Management-Architect Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Questions and Answers

 OAuth refresh token flow and OAuth JWT bearer token flow are the recommended best practices for using OAuth flows inthis scenario. These flows are suitable for server-to-server integration scenarios where the client application needs to access Salesforce resources on behalf of a user. The OAuth refresh token flow allows the client application to obtain a long-lived refresh token that can be used to request new access tokens without requiring user interaction. The OAuth JWT bearer token flow allows the client application to use a JSON Web Token (JWT) to assert its identity and request an access token. Both flows providea secure and efficient way to integrate with Salesforce and the reward calculation system. OAuth SAML bearer assertion flow is not a recommended best practice for using OAuth flows in this scenario because it requires the client application to obtain a SAML assertion from an identity provider, which adds an extra layer of complexity and dependency. OAuth username-password flow is not a recommended best practice for using OAuth flows in this scenario because it requires the client application to store the user’s credentials, which poses a security risk and does not support two-factor authentication. References: : [Which OAuth Flow to Use] : [Digging Deeper into OAuth 2.0 on Force.com] : [OAuth 2.0 JWT Bearer Token Flow] : [OAuth 2.0 SAML Bearer Assertion Flow] : [OAuth 2.0 Username-Password Flow]

 The two issues outside of the Salesforce SSO settings that are most likely contributing to the SSO errors are the clock on the identity provider server being twenty minutes behind Salesforce and the issuer certificate from the identity provider expiring two weeks ago. These issues can cause SAML assertionerrors, which prevent the user from logging in with SSO. A SAML assertion is an XML document that contains information about the user’s identity and attributes, and it is signed by the identity provider and sent to Salesforce as part of the SSO process4. If the clock on the identity provider server is not synchronized with Salesforce, the SAML assertion may be rejected as invalid or expired, as it has a timelimit for validity5. If the issuer certificate from the identityprovider isexpired, the SAML assertion may not be verified by Salesforce, as it relies on the certificate to validate the signature6. The other options are not likelyissues that cause SSO errors. The identity provider being used to SSO into five otherapplications does not affect itsability to SSO into Salesforce, as long as it supports multiple service providers and has a separate configuration for each one7. The default language for the identity provider and Salesforce being different does not affect the SSO process, as it does not impact the SAML assertion or its validation.

The three differentattributes that can be used to identify the user in a SAML assertion when Salesforce is acting as a Service Provider are Federation ID, User Email Address, and Salesforce Username. According to the Salesforce documentation, “Salesforce supports three attributes for identifying users in a SAML assertion: Federation ID, User Email Address, and Salesforce Username.” Therefore, option A, D, and E are the correct answers.

The most likely cause of the issue is that the refresh token expiration policy is set incorrectly in Salesforce. A refresh token is a credential that allows a connected app to obtain a new access token when theprevious one expires1. The refresh token expiration policy determines how long a refresh token is valid for2. If the policy is set to a short duration, such as 24 hours, the users have to enter their credentials once a day to get a new refresh token. To prevent this, thepolicy should be set to a longer duration, such as “Refresh token is valid until revoked” or "Refresh token expires after 90 days of inactivity"2.

To enable a trusted connection between the login services and Salesforce, UC should enforce mutual authentication between systems using SSL. Mutual authentication is a process in which both parties in a communication verify each other’s identity using certificates7. SSL (Secure Sockets Layer) is a protocol that provides secure communication over the Internet using encryption and certificates8. By using mutual authentication with SSL, UC can ensure that only authorized login services can access Salesforce and vice versa. This can prevent unauthorized access, impersonation, or phishing attacks.

 To meet the requirement of having active community users review andaccept the community rules and update key contact information before their annual partner event, the identity architect should create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information. A login flow is a custom post-authentication process that can be used to add additional screens or logic after a user logs in to Salesforce. By creating a login flow, the identity architect can check the user’s status and information and display the appropriate screens for them to review and accept the community rules and update their contact information. References: Login Flows, Create a Login Flow

To broker authentication fromits enterprise SSO solution through Salesforce to third party applications using SAML, Salesforce Identity plays the role of a Service Provider (SP). A SP is an entity that relies on an Identity Provider (IdP) to authenticate and authorize users. In thisscenario, the enterprise SSO solution is the IdP, Salesforce is the SP, and the third party applications are the Resource Servers or Client Applications. The SP receives a SAML assertion from the IdP and uses it to obtain an access token from the ResourceServer or Client Application. References: SAML Single Sign-On Settings, Authorize Apps with OAuth

 To authenticate and authorize Salesforce users with AWS, the identity architect should configure AWS as an OpenID Connect Provider. OpenID Connect is a protocol that allows users to sign in with an external identity provider, such as AWS, and access Salesforce resources. To enable this, the identity architect needs to configure an OpenID Connect Authentication Provider in Salesforce and link it to a connected app. The other options are not relevant for this scenario. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect

 To allow agents to access the Canvas appwithout needing to log in to the pricing application, the identity architect should consider two options:

Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. A connected app is a framework that enables an externalapplication to integrate with Salesforce using APIs and standard protocols. A Canvas app is a type of connected app that allows an external application to be embedded within Salesforce. By setting Admin-approved users as pre-authorized, the identity architect can control which users can access the Canvas app by assigning profiles or permission sets to the connected app.

Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated. SAML is aprotocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. By enabling SAML in the connected app, the identity architect can use Salesforce as a service provider (SP) and the pricing application as an identity provider (IdP) for single sign-on (SSO). By setting SAML Initiation Method as Service Provider Initiated, the identity architect can initiate the SSO process from Salesforce and send a SAML request to the pricing application. References: Connected Apps, Canvas Apps, SAML Single Sign-On Settings

 Experience Builder and Community Administration settings are the tools that allow branding the login and registration pages in Experience Cloud. Custom pages are not necessary for this use case. References: Architect Journey: Identity and Access Management Trailmix - Trailhead

The underlying mechanisms that the UC Architect must ensure are part of the product are Just-in-Time (JIT) provisioning and deprovisioning. JIT provisioningis a process that creates or updates user accounts in Salesforce when users log in with SAML single sign-on (SSO)6. JIT deprovisioning is a process that disables or deletes user accounts in Salesforce when users are removed from the identity provider (IdP). Both of these processes enable automated provisioning and deprovisioning of users without requiring manual intervention or synchronization. The other options are not valid mechanisms for provisioning and deprovisioning. SOAP API is an application programming interface that allows developers to create, retrieve, update, or delete records in Salesforce. However, SOAP API does not support JIT provisioning ordeprovisioning, and requires custom code to implement. Provisioning API is not a standard term for Salesforce, and there is no such API that supports both provisioning and deprovisioning.

 The sidebar of a Salesforce Console as a console component and included in the Call Control Tool that’s part of Open CTI are two options that are correct in regards to where the app can be made visible under the connected app settings for the Canvas app. A Canvas app is an external application that can be embedded within Salesforce using an iframe. A connected app is an application that integrates with Salesforceusing APIs and uses OAuth as the authentication protocol. You can control where a Canvas app can be displayed in Salesforce by configuring the locations in the connected app settings. The sidebar of a Salesforce Console as a console component is a valid location for a Canvas app because it allows you to display the app as a collapsible panel on the side of any console app. Included in the Call Control Tool that’s part of Open CTI is a valid location for a Canvas app because it allows you to display the appas part of the softphone panel that integrates with your telephony system. As part of the body of a Salesforce Knowledge article is not a valid location for a Canvas app because it is not supported by the connected app settings. In the mobile navigation menu on Salesforce for Android is not a valid location for a Canvas app because it is not supported by the connected app settings. References: : [Canvas Developer Guide] : [Connected Apps Overview] : [Add or Remove Components from Your Console Apps] : [OpenCTI Developer Guide]

The Experience ID isa unique identifier for each Experience Cloud site that can be used to customize the branding and user interface based on the OAuth/Open ID or SAML flows. The Experience ID can be passed as a URL parameter to Salesforce to determine which site the user isaccessing. References: Experience ID, Customize Your Experience Cloud Site Login Process

To allow employees to collaborate in a single Salesforce org, yet authenticate to the appropriate IdP, the identity architect should enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on the appropriate IdP button. MyDomain is a feature that allows administrators to customize the Salesforce login URL with a unique domain name. Authentication Service is a setting that allows administrators to enable different authentication options for users, such as social sign-on or single sign-on with an external IdP. By enabling each IdP as a login option in the MyDomain Authentication Service settings, the identity architect can provide a user-friendly and secure way for employees to log in to Salesforce using their preferred IdP. References: MyDomain, Authentication Service

Dynamic branding is a feature that allows Experience Cloud sites to display differentbranding elements, such as logos, colors, or images, based on the user’s profile or preferences. To use dynamic branding, the community must be built with the Customer Account Portal template, which supports this feature. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand and trigger the dynamic branding logic.

According to the Salesforce documentation2, OAuth2 RPs (relying parties) are applications that use OAuth 2.0 for authentication and authorization with an external identity provider. This allows users to log in to multiple applications with a single identity provider account. Theidentity provider issues an access token to the relying party, which can be used to access protected resources on behalf of the user. This solution can support high volumes of logins per minute and unify multiple B2C Commerce sites and an Experience Cloud community with a single identity. 

 To set up SSO for a selected group of users to access external applications from Salesforce through App Launcher, UC must complete the following steps in Salesforce:

Associate user profiles with theconnected apps. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect3. To access a connected app, usersmust have the appropriate permissions assigned to them, either through their profile or a permission set4. UC can associate user profiles with the connected apps to control which users can access which apps.

Complete My Domain and identity provider setup. My Domain isa feature that lets UC create a custom domain name for their Salesforce org. It is required for setting up SSO with external identity providers. An identity provider is a trusted system that authenticates users for other service providers. UC must set up an identity provider that supports SSO protocols such as SAML or OpenID Connect and configure it to communicate with Salesforce.

Create connected apps for the external applications. UC must create connected apps for each external application that they wantto access from Salesforce through App Launcher. A connected app defines the attributes of the external application, such as its name, logo, description, and callback URL4. It also specifies the SSO protocol and settings thatare used to authenticate users and grant access tokens4.

The refresh token is used to obtain a new access token when the previous one expires. To revoke the user session, the logout function should invoke the revocation URL and pass the refresh token as a parameter. This will invalidate both the refresh token and the access token, and prevent the user from accessing Salesforce without logging in again2.

Enabling “Allow customers and partners to self-register” allows guests to create their own user accounts in the portal. Selecting the “Configurable Self-Reg Page” option allows the administratorto customize the self-registration page to capture the required fields. Customizing the self-registration Apex handler to create only the user record prevents the automatic creation of a contact record until verification. References: Enable Self-Registration, Customize Self-Registration

To use SAML SSO for accessing the Salesforce1 mobile app, the architect should recommend configuring the embedded web browser to use the My Domain URL and configuring the Salesforce1 app to use the My Domain URL4. Using the My Domain URL allows Salesforce to identify the identityprovider and initiate the SSO process5. Using the existing SAML SSO flow along with user agent flow or web server flow is not necessary because SalesforceMobile Applications only work with service provider initiated setups46. Therefore, option B and D are the correct answers.

It federates credentials control to authorized applications. Thismeans that users can access multiple applications across different domains or organizations using one set of credentials, without having to share their passwords with each application1. The applications rely on a trusted identity provider (IdP) to authenticate the users and grant them access.

It establishes trust between Identity store and service provider. This means that the IdP and the service provider (SP) have a mutual agreement to exchange identity information using standard protocols, such as SAML, OpenIDConnect, or OAuth2. The IdP and the SP also share metadata and certificates to ensure secure communication and verification.

It improves affiliated applications adoption rates. This means that users are more likely to use applications that are connected to their existing identity provider, as they do not have to create or remember multiplepasswords3. This also reduces the friction and frustration of logging in to different applications, and enhances the user experience.

The other options are notfeatures of federated single sign-on solutions because:

It solves all identity and access management problems. This is false, as federated single sign-on solutions only address the authentication aspect of identity and access management, not the authorization, provisioning, governance, or auditing aspects. Federated single sign-on solutions also have some challenges, such as complexity, interoperability, and security risks.

It enables quick and easy provisioning and deactivating of users. This is not necessarily true, as federated single sign-on solutions do not automatically create or delete user accounts in the service provider applications. Users still need to be provisioned and deprovisioned manually or through other mechanisms, such as just-in-time provisioning or SCIM.

To allow customers to login using Facebook, Google, and other social sign-on providers, the identity architect should configure an authentication provider and a registration handler for each social sign-on provider. Authentication providersare configurations that enable users to authenticate with an external identity provider and access Salesforce resources. OpenID Connect is a protocol that allows users to sign in with an external identity provider, such as Facebook or Google, and access Salesforce resources. To enable this, the identity architect needs to configure an OpenID Connect Authentication Provider in Salesforce and link it to aconnected app. A registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider. The registration handler can also be used to link the user’s social identity with their Salesforce identity and prevent duplicate accounts.References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect, Create a Custom Registration Handler

My Domain is a feature that allows you to personalize your Salesforce org with a subdomain within the Salesforcedomain. For example, instead of using a generic URL like https://na30.salesforce.com, you can use a custom URL like https://somethingReallycool.my.salesforce.com10. My Domain should be enabled in Salesforce as a prerequisite for the following reasons:

My Domain lets you work in multiple Salesforce orgs in the samebrowser. Without My Domain, you can only log in to one org at a time in the same browser.

My Domain lets you set up single sign-on (SSO) with third-party identity providers (IdPs). SSO is an authentication method that allows users to access multiple applications with one login and one set of credentials. With My Domain and SSO, users can log in to Salesforce using their corporate credentials or social accounts.

My Domain lets you customize your login page with your brand. You can add your logo, background image, right-frame content, and authentication service buttons to your login page.

Login Discovery allows the administrator to configure a custom login page that collects additional information from users, such as phone number, and use it for identity verification. Login Discovery can also be used to route users to different identity providers based on their input. References: Login Discovery, Customize Your Experience Cloud Site Login Process

The web service that is used for delegated authentication should be secured with TLS using Salesforce trusted certificates4. This ensures that the communication between Salesforce and the external authentication method is encrypted and authenticated. The other options are not relevant for designing a delegated authentication implementation. The web service does not need to accept one to four inputmethod parameters, as it can accept any number ofparameters as long as they are wrapped in a SOAP envelope5. The web service does not need to use the Salesforce Federation ID to identify the user, as it can use any identifier that is unique and consistent across systems6. The web service does not need to implement acustom password decryption method, as it can use any encryption or hashing algorithm that is supported by both systems7. References: Delegated Authentication, Enable ‘Delegated Authentication’, Delegated Authentication Flow in Salesforce, FAQs for Delegated Authentication

 Login Discovery Page and Embedded Login Page are two valid login page types for Experience Cloud sites. Login Discovery Page allows users to choose their preferred login method, such as username/password, SSO, or social sign-on. Embedded Login Page allows users to log in from any site page without being redirected to a separate login page. References: Login Discovery Page, Embedded Login

Just-in-time provisioning is a feature thatallows Salesforce to create user accounts automatically when users log in for the first time via an external identity provider. This way, UC can avoid creating user records manually or synchronizing them with another system. On-the-fly provisioning is nota valid term in Salesforce. Salesforce APIs can be used to create users programmatically, but they are not related to SSO. Identity Connect is a tool that can sync users between Salesforce and Active Directory, but it is not required for SSO. References: Certification - Identity and Access Management Architect - Trailhead, [Just-in-Time Provisioning for SAML and OpenID Connect]

To register and authenticate new customers on the website using Salesforce Identity, the identity architect should use Delegated Authentication and Embedded Login. Delegated Authentication is a feature that allows Salesforce to delegate the authentication process to an external service, such as a custom website, instead of validating the username and password internally. Embedded Login is a featurethat allows Salesforce to embed a login widget into any web page, such as a custom website, to enable users to log in with their Salesforce credentials. The other options are not relevant for this scenario. References: Delegated Authentication, Embedded Login

Using the identity provider’s certificate to digitally sign and encrypt the payload, and usinga custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion are two methods that can ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit. Option A is not a good choice because using Salesforce’s certificate to encrypt the payload may not work, as Salesforce does not support encrypted SAML assertions. Option B is not a good choice because using Salesforce’s certificate to digitally sign the SAML assertionmay not be necessary, as Salesforce does not validate digital signatures on SAML assertions. Also, using a mobile device management client on the users’ mobile devices may not be relevant, as it does not affect how the sensitive data is transmitted between the identity provider and Salesforce.

The optimal way to implement SSO with Active Directory as the enterprise identity store is to use Salesforce Identity Connect as the identity provider. Salesforce Identity Connect is a software that integrates Microsoft Active Directory with Salesforce and enables single sign-on (SSO) using SAML. It also allows user data synchronization between Active Directory and Salesforce and profile and permission set assignment based on Active Directory group membership. Option A is not a good choice because using Active Directory with reverse proxy as the identity provider may not be supported by Salesforce or may require additional configuration and customization. Option B is not a good choice because using Microsoft Access Control Service as the authentication provider may not be available, as Microsoft has retired this service in 2018. Option C is not a good choice because using Active Directory Federation Service (ADFS) as the identity provider may not allow user data synchronization or profile andpermission set assignment based on Active Directory group membership, unless it is combined with another tool such as Salesforce Identity Connect.

The best option for UC’s architect to enable the behavior of using a single identity provider to access all of their Salesforce orgs is to ensure that users have the same Federation ID value in their user records in all of UC’s Salesforce orgs. The Federation ID is a field on the user object that stores a unique identifier for each user that is consistent across multiple systems. The Federation ID is used by Salesforce to match the user with the SAML assertion that is sent by the identity provider during the single sign-on (SSO) process. By ensuring that users have the same Federation ID value in all of their Salesforce orgs, UC can enable users to log in with the same identity provider and credentials across multiple orgs. The other options are not valid ways to enable this behavior. Ensuring that users have the same email value in their user records in all of UC’s Salesforce orgs does not guarantee that they can log in with SSO, as email is not used as a unique identifier by Salesforce. Ensuring the same username is allowed in multiple orgs by contacting Salesforce support is not possible, as username must be unique across all Salesforce orgs. Ensuring that users have the same alias value in their user records in all of UC’s Salesforce orgs does not affect the SSO process, as alias is not used as a unique identifier by Salesforce. References: [Federation ID], [SAML SSOwith Salesforce as the Service Provider], [Username], [Alias]

The two capabilities of an identity provider that the architect should detail to help strengthen the business case are that the identity provider can authenticate multiple applications and that the identity provider can centralize enterprise password policy. These capabilities can provide benefits such as reducing login friction, improving user experience, enhancing security, and simplifying administration. Option B is not a good choice because the identity provider can authenticate multiple social media accounts may not be relevant for UC’s business case, as it does not specify how UC will use social media for its identity management. Option C is not a good choice because the identity provider can store credentials for multiple applications may not be desirable or secure for UC’s business case, as it may imply that theidentity provider is using password vaulting or federation rather than single sign-on (SSO) or identity federation. References: Identity Management Concepts, [Single Sign-On Implementation Guide]

External Identity Licenses are required to enable external users to access Salesforceresources via a CIAM solution. Email Verification Credits and SMS Verification Credits are required to enable email or mobile phone number verification for user authentication. Identity Connect Licenses are not required for this scenario, as Identity Connect is a tool for synchronizing user data between Salesforce and Active Directory. References: External Identity Implementation Guide, Identity Connect Implementation Guide

OAuth 2.0 is an open standard for authorization that allows a third-party application to obtain limited access to a protected resource on behalf of auser. To authorize a third-party service using OAuth 2.0 with the Salesforce Experience Cloud site, the identity architect should do the following steps:

Create a connected app for the third-party service in Salesforce. A connected app is an applicationthat integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. To create a connected app, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need toenable OAuth and configure the OAuth settings, such as the callback URL, the scopes, and the policies.

Authorize the third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value. This is a special endpoint that allows you to specify an experience ID (expid) as a query parameter in the authorization request. The experience ID is a unique identifier for each experience (community or site) in Salesforce. By using this endpoint, you can dynamically render thelogin page images based on the user’s brand preference selected in the third-party service before authorization.

The recommended way to configure the IdP for seamless access is to use IdP-initiated SSO that passes the SAML token upon Salesforce resource accessrequest. This means that the user logs in to the corporate portal first, and then clicks a link to access a Salesforce resource. The IdP sends a SAML response to Salesforce with the user’s identity and other attributes. Salesforce verifies the SAML response and logs in the user to the appropriate Salesforce org and community12. This way, the user does not have to log in again to Salesforce or enter any credentials3. References: 1: SAML SSO with Salesforce as the Service Provider 2: Set Up Single Sign-On for Your Internal Users Unit | Salesforce - Trailhead 3: What is IdP-Initiated Single Sign-On? – OneLogin

The best way to meet the requirements of UC isto implement Just-In-Time Provisioning on the mainframe to create the user on the fly. According to the Salesforce documentation, “Just-in-time provisioning lets you create or update user accounts on the fly when users log in to Salesforce using single sign-on (SSO).” This way, UC can authenticate users to Salesforce using their mainframe credentials and also create or update their user accounts in Salesforce without using a SAML provider. Therefore, option C is the correct answer.

To allow customers to log in to the communitywith any of their social identities, such as Facebook, Google, or Twitter, the identity architect needs to use authentication providers for social sign-on. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. To ensure that Salesforce has only one user per customer, regardless of how many social identities they have, the identity architect needs to use the custom registration handler to link social identities to Salesforce identities. The custom registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider. The custom registration handler can also be used to insert or update personal details of the customers when they log in to Salesforce using their social identity. References: Authentication Providers, Social Sign-On with Authentication Providers, Create a Custom Registration Handler

 The redirect_uri parameter is used to specify the URL that the user should be redirected to after OAuth authorization1. The redirect_uri should match the onethat was registered with the OAuth client application2. By using the redirect_uri parameter, the user can be redirected to the original requested page instead of the Ideas home page.

The type of single sign-on that UC is using is SP-initiated, which means that the service provider (Salesforce) initiates the SSO process by sending a SAML request to the identity provider (PingFederate) when the user navigates to the My Domain URL3. Therefore, option A is the correct answer. References: SAML SSO with Salesforce as the Service Provider

To meet the requirements of using a central cloud-basedIAM service for authentication and user management, the IAM architect should implement Salesforce Sales Cloud as a SAML service provider and enable SCIM for provisioning and deprovisioning of users. SAML is a protocol that allows users to authenticate andauthorize with an external identity provider and access Salesforce resources. By configuring Salesforce as a SAML service provider, the IAM architect can use the central IAM service as an identity provider and enable single sign-on for users. SCIM is a standard that defines how to manage user identities across different systems. By enabling SCIM in Salesforce, the IAM architect can synchronize user data between the central IAM service and Salesforce and automate user provisioning and deprovisioning based onthe changes made in the central IAM service. References: SAML Single Sign-On Settings, SCIM User Provisioning for Connected Apps

Use a custom connected app handler using Apex to dynamically allow access to the system based on whether the staff owns any open “classified” cases is the recommended solution for this scenario. A custom connected app handler is an Apex class that implements the ConnectedAppPlugin interface and can customize the behavior of a connected app. The custom handler can support new protocols or respondto user attributes in a way that benefits a business process. In this case, the custom handler can query the user’s open “classified” cases and grant or deny access to the classified information system accordingly. Use Apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open “classified” case, and remove it when the case is closed is not a good solution, as permission sets are not related to SSO and cannot control access to external systems. Use custom SAML JIT provisioning to dynamicallyquery the user’s open “classified” cases when attempting to access the classified information system is not feasible, as JIT provisioning is used to create or update user records in Salesforce, not in external systems. Use Salesforce reports to identify users that currently own open “classified” cases and should be granted access to the classified information system is not an automated solution, as it requires manual intervention and does not leverage SSO.

The two options that an architect should recommend to UC are to build a custom web service that is supported by delegated authentication and to implement the OpenID protocol and configure an authentication provider. Delegated authentication is a feature that allows Salesforce to delegate user authentication to an external service instead of using Salesforce credentials3. A custom web service can be built to use the credentials stored in the custom identity store and validate them against Salesforce using SOAP or REST API3. OpenID is an open standard protocol that allows users to authenticate with various web services using an existing account4. An authentication provider can be configured in Salesforce to use OpenID and connect with the custom identity store5.

The best OAuth flow for this scenario is the web server flow. The web server flow is an OAuth authorization flow that allows a web application, such as UC’s employee portal, to obtain an access token and a refresh token from Salesforce after the user grants permission. The web application can then use the access token to access Salesforce data and features, such as posting ideas, and use the refresh token to obtain a newaccess token when the previous one expires or becomes invalid. This flow is suitable for UC’s scenario because it allows users to be redirected to Salesforce, authenticated, and presented with the relevant pages when they click on some of the links in theemployee portal. This flow also provides a secure and seamless user experience by using a confidential client secret that is stored on the web server and not exposed to the browser.

The other options are not valid OAuth flows for this scenario. The web application flow is not a standard term for OAuth, but it could refer to the user-agent flow, which is an OAuth authorization flow that allows a browser or web-view, such as a mobile app or a desktop app, to obtain an access token from Salesforce by using a script or a pop-up window. This flow is not suitable for UC’s scenario, as it does not use a web server or a client secret, and it does not provide a refresh token. The SAML bearer assertion flow is an OAuth authorization flow that allows an external application to obtain an access token from Salesforce by using a SAML assertion from an identity provider (IdP) that verifies the user’s identity. This flow is not suitable for UC’s scenario, as it does not involve user interaction or redirection to Salesforce.The user-agent flow is an OAuth authorization flow that allows a browser or web-view, such as a mobile app or a desktop app, to obtain an access token from Salesforce by using a script or a pop-up window. This flow is not suitable for UC’s scenario, as itdoes not use a web server or a client secret, and it does not provide a refresh token. References: [OAuth Authorization Flows], [OAuth 2.0 Web Server Flow for Web App Integration], [OAuth 2.0 User-Agent Flow for Desktop Apps], [OAuth 2.0 SAML Bearer Assertion Flow for Server-to-Server Integration]

The two options that an architect should recommend for UC to roll out the Salesforce1 mobile app and make it accessible from any location are:

Relax the IP restriction with a second factor in the Connected App settings for Salesforce1 mobile app. This option allows UC to enable two-factor authentication (2FA) for the Salesforce1 mobile app, which requires users to verify their identity with a second factor, such asa verification code or a mobile app, after entering their username and password. By enabling 2FA in the Connected App settings, UC can relax the IP restriction for the Salesforce1 mobile app, as users can access it from any location as long as they providethe second factor.

Relax the IP restrictions in the Connected App settings for the Salesforce1 mobile app. This option allows UC to disable or modify the IP restriction for the Salesforce1 mobile app in the Connected App settings, which control how userscan access a connected app, such as Salesforce1. By relaxing the IP restrictions, UC can allow users to access the Salesforce1 mobile app from any location without requiring 2FA.

The other options are not recommended for this scenario. Removing existing restrictions on IP ranges for all types of user access would compromise security and compliance, as it would expose Salesforce to unauthorized access from any location. Using Login Flow to bypass IP range restriction for the mobile app would require custom code and logic, which could introduce complexity and errors. References: [Connected Apps], [Two-Factor Authentication], [Require a Second Factor of Authentication for Connected Apps], [IP Restrictions for Connected Apps], [Login Flows]

 Using SAML Federated Authentication, treating SAML sessions as high assurance, and raising the session level required for exporting reports is the solution that should be recommended. This solution ensures that users can only export reports when they log in using AD credentials, which provide a high level of identity verification. Users who log in using Salesforce credentials, which provide a standard level of security, can still view reports but not export them. To implement this solution, you need to configure SAML Federated Authentication withAD as the identity provider4, set the session security level for SAML assertions to high assurance5, and require high-assurance session security for exporting reports1. This solution also avoids the complexity and overhead of creating and managing custom permission sets or login flows.

 Using information in the signed request that is received from Facebook is how this requirement can be met. A signed request is a parameter that contains information about the user who is logging in with Facebook credentials. The signed request can include information such as the user ID, name, email, and profile picture. You can use this information to update the corresponding customer community user in Salesforce by implementing a registration handler class. The registration handler class is an Apex class that defines how Salesforce handles user registrationand authentication when using an auth provider. You can use the updateUser() method in the registration handler class to update the user record with the information from the signed request. Using the updateUser() method on the registration handler class isnot how this requirement can be met because it is only part of the solution. You also need to use information from the signed request as the source of the updates. Using SAML just-in-time provisioning between Facebook and Salesforce is not how this requirement can be met because Facebook does not support SAML as an identity provider protocol. Developing a scheduled job that calls out to Facebook on a nightly basis is not how this requirement can be met because it is inefficient and unnecessary. You can update the user record in real time using the signed request instead of waiting for a nightly batch process.

To prevent unauthorized form submissions during the self-registration process, UC should require a captcha at the end of the self-registration process and use hidden fields populated via JavaScript events in the self-registration page. These methods will help to verify that the user is a human and not a bot, and also to validate the user’s input against some predefined values. Option A is not a good choice because open-ended security questions and complex password requirements may frustrate the user and reduce the conversion rate. Option B is not a good choice because lookup and picklist fields may not prevent bots from submitting the form, as they can be easily automated or bypassed.

The first thing that the architect at UC should investigate is the refresh token policy defined in the Salesforce connected app. A refresh token is a credential that allows an application to obtain new access tokens without requiring the user to re-authenticate. The refresh token policy determines how long a refresh token is valid and under what conditions it can be revoked. If the refresh token policy is set to expire after a certain period of time or after a change in IP address or device ID, then the users may have to re-authenticate after using the app for a while or from a different location or device. Option B is not a good choice because validating that the users are checking the box to remember their passwords may not be relevant, as the app uses SSO with a third-party identity provider and does not rely on Salesforce credentials. Option C is not a good choice because verifying that the callback URL is correctly pointing to the new URI scheme may not be necessary, as the callback URL is used for redirecting the user back to the app after authentication, but it does not affect how long the user can stay authenticated. Option D is not a good choice because confirming that the access token’s time-to-live policyhas been set appropriately may not be effective, as the access token’s time-to-live policy determines how long an access token is valid before it needs to be refreshed by a refresh token, but it does not affect how long a refresh token is valid or when itcan be revoked. References: [Connected Apps Developer Guide], [Digging Deeper into OAuth 2.0 on Force.com]

Adding the employee portal’s IP address to the trusted IP range for the connected app is the best way to restrict the connection to Salesforce only to the employee portal server. This will ensure that only requests from the specified IP range will be accepted by Salesforce for that connected app. Option B is not a good choice because using a digital certificate signed by the employee portal server may not be supported by Salesforce for OAuth username-password flow. Option C is not a good choice because adding the employee portal’s IP address to the login IP range on the user profile may not be sufficient, as it will still allow other users with the same profile to log in from that IP range. Option D is not a good choice because using a dedicated profile for the user that the employee portal uses may not be effective, as it will still allow other users with that profile to log in from any IP address. References: [Connected Apps], [OAuth 2.0 Username-Password Flow]

Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials4. There are two types of SSO flows thatcan be used with Salesforce as the service provider (SP) and an external identity provider(IdP)5:

Service-provider-initiated SSO: The user requests a resource from the SP, such as a Salesforce URL. The SP redirects the user to the IdP for authentication. The IdP authenticates the user and sends a SAML response to the SP. The SP validates the SAML response and grants access to the user5. This type of SSO flowsupports deep linking, which means that the user can access a specific page within Salesforce without logging in again6.

Identity-provider-initiated SSO: The user logs in to the IdP and selects an app from a list of available apps. The IdP sends a SAML response to the SP. The SP validates the SAML response and grants access to the user5. This type of SSO flow does not support deep linking, which means that the user can only access the default landing page of Salesforce6.

A Canvas app is a web application that can be embedded within Salesforce and access Salesforce data using the signed request authentication method. This method allows the Canvas app to receive a signed request that contains the context and OAuth token when it is loaded. The Canvas app can use the SDK to request a new or refreshed signed request on demand2. This way, the users do not need to re-authenticate when accessing the web application from Salesforce. References: Requesting a Signed Request, SAML SingleSign-On for Canvas Apps, Mastering Salesforce Canvas Apps

These are two capabilities that My Domain enables in the context of a SAML SSO configuration. My Domain is a feature that lets you customize your Salesforce domain name and login page1. Resource deep linking is the ability to access a specific page or resource within Salesforce directly from a link, without having to navigate through the app2. SSO from Salesforce Mobile App is the ability to log in to the Salesforce Mobile App using your SSO credentials, without having to enter your username and password3. My Domain enables these capabilities by allowing you to specify your identity provider (IdP) and SSO settings for your unique domain name, and by providing a custom login URL that can be used for deep linking and mobile app login1. The other options are notcorrect for this question because:

App Launcher is a feature that lets you access all your connected apps from one place in Salesforce. It does not require My Domain or SAML SSO to work, although it can be enhanced by using them.

Login Forensics is a feature that analyzes login behavior and identifies anomalous or suspicious logins. It does not require My Domain or SAML SSO to work, although it can be used with them. References: MyDomain, Deep Linking into Salesforce, Salesforce Mobile AppBasics, [App Launcher], [Login Forensics]

To track information about devices from which users log in and revoke the device access, the identity architect should use the Activations feature. Activations are records that store information about the devices and browsers that users use to access Salesforce. Administrators can view, manage, and revoke activations for users from the Setup menu. Activations can help monitor and control user access from different devices. References: Activations, Manage Activations for Your Users

Salesforce Canvas is a tool that allows external applications to be embedded into Salesforce as iframes, which can provide a seamless user experience. App Launcher is a feature that allows users to access connected apps from a single location in Salesforce. To enable single sign-on anduse Salesforce as the identity provider, the external billing application needs to be configured as a connected app and use an OAuth 2.0 or SAML protocol. Identity Connect is not relevant for this scenario, as it is a tool for synchronizing user data between Salesforce and Active Directory. References: Salesforce Canvas Developer Guide, App Launcher, Connected Apps

The best option for UC to ensure that changes in the Facebook profile are reflected onthe appropriate customer community user is to use the updateUser method on the registration handler class. A registration handler class is an Apex class that implements the Auth.RegistrationHandler interface and defines the logic for creating or updating auser account when a user logs in with an external authentication provider, such as Facebook. The updateUser method is a method in the registration handler class that takes a user ID and a JSON string as parameters and updates the user record with the information from the JSON string. This method can be used to update the user’s profile, email, name, or other attributes based on the changes in the Facebook profile. The other options are not optimal for this scenario. Developing a scheduled job that calls out to Facebook on a nightly basis would introduce a delay in updating the user information and require custom code and API integration. Using information in the signed request that is received from Facebook would only provide limited information about the user, such as name, email, and locale, and not reflect any changes made after the initial login. Using SAML Just-in-Time provisioning between Facebook and Salesforce would require UC to configure Facebook as a SAML identity provider, which is not supportedby Facebook. References: [Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Facebook Signed Request], [Facebook as SAML Identity Provider]

The Entity ID is the SAML SSO setting inSalesforce that provides the capability to differentiate Salesforce from other service providers. The Entity ID is a unique identifier for the service provider that is sent in the SAML request and response messages1. The identity provider uses the Entity ID to determine which service provider is requesting or receiving authentication information2. You can customize the Entity ID for your Salesforce org or Experience Cloud site in the SAML Single Sign-On Settings page3. References: 1: SAML SSO Flows 2: Federated Authentication Using SAML to Log in to Salesforce Org 3: Step 2: Create a SAML Single Sign-On Setting in Salesforce

Salesforce Identity Connect is a tool that synchronizes user data between Microsoft Active Directory and Salesforce. It allows automatic provisioning and deprovisioning of users in Salesforce based on the changes made in Active Directory. Therefore, Identity Connect plays the role of user management in the outlined requirements. References: Identity Connect Implementation Guide, Identity Connect Overview

To implement social sign-on for customers to register and log in to a portal built on Salesforce Experience Cloud using their Facebook or LinkedIn credentials, the identity architect should take three steps:

Create authentication providers for both Facebook and LinkedIn. Authentication providers are configurations that enable users to authenticatewith an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for some common identity providers, such as Facebook and LinkedIn, which can be easily configured with minimal customization.

Check“Facebook” and “LinkedIn” under Login Page Setup. Login Page Setup is a setting that allows administrators to customize the login page for Experience Cloud sites. By checking “Facebook” and “LinkedIn”, the identity architect can enable social sign-on buttons for these identity providers on the login page.

Update the default registration handlers to create and update users. Registration handlers are classes that implement the Auth.RegistrationHandler interface and define how to create or update users in Salesforce based on the information from the external identity provider. The identity architect can update the default registration handlers to link the user’s social identity with their Salesforce identity and prevent duplicate accounts. References: Authentication Providers, Social Sign-On with Authentication Providers, Login Page Setup, Create a Custom Registration Handler

The OAuth 2.0 user-agent flow and the OAuth 2.0 web server flow are both suitable for building a custom mobile app that can access Salesforce data without prompting the user to log in again1. Both ofthese flows use a refresh token that can be used to obtain a new access token when the previous one expires2. The user-agent flow uses theCanvas JavaScript SDK to obtain an OAuth token by using the login function in the SDK2. The web server flow redirects the user to the Salesforce OAuth authorizationendpoint and then obtains an OAuth access token by making a POST request to the Salesforce OAuth token endpoint2. The mobile agent flow and the SAML assertion flow are not valid OAuth flows for Salesforce3.

The recommended approach for UC to expand the self-registration capabilities such that customers receive a different community experience based on the data they provide during the registration process is to modify the community pages to utilize specific fields on the user and contact records. This approach allows UC to customize the community pages based on the user’s profile, preferences, interests, or other attributes that are stored in the user or contact fields. For example, UC can use conditional visibility rules or audience criteria to display different components or content based on the user’s field values. This approach does not require any code or complex configuration, and it provides a flexible and personalized community experience for different customer segments. The other options are not recommended for this scenario. Creating an after-insert Apex trigger on the user object to assign specific custom permissionswould require UC to write code and manage custom permissions, which could increase maintenance and testing efforts. Creating separate login flows corresponding to the different community user personas would require UC to create multiple login pages and logic, which could increase complexity and confusion. Modifying the existing communities’ registration controller to assign different profiles would require UC to write code and manage multiple profiles, which could increase security and governance risks. References: [Customize Your Community Pages], [Set Component Visibility], [Create Custom Login Flows], [Customize Self-Registration]

The AMR field in the Login History shows the authentication methods usedat the IdP level, such as password, MFA, or SSO. Both OIDC and SAML are supported protocols for SSO, but the IdP must implement the AMRattribute and pass it to Salesforce. References: Secure YourUsers’ Identity, Salesforce Multi-Factor Authentication (MFA) and Single Sign-on (SSO)

Delegated Authentication will continue to work with a .NET service as long as it is wrapped in a web service that Salesforce canconsume1. Delegated Authentication will not work with REST services because it requires a SOAP-based web service23. Therefore, option C and D are the correct answers.

To ensure end users can only use single sign-on (SSO) to log in to Salesforce, two things should be done:

Enable My Domain and select “Prevent login from https://login.salesforce.com”. My Domain is a feature that allows administrators to customize the Salesforce login URL with a unique domain name. By preventing login from the standard login URL, administrators can enforce SSO and restrict users from logging in with their Salesforce credentials.

Assign user “is Single Sign-on Enabled” permission via profile or permission set. This permission allows users to log in to Salesforce using SSO. Users who do not have this permission will not be able to access Salesforce even if they have valid Salesforce credentials. References: My Domain, User Permissions for Single Sign-On

Configuring an Authentication Provider for LinkedIn Social Media Accounts allows UC to use LinkedIn as an external identity provider for its customer community. This means that customers can use their LinkedIn credentials to log in to the community without storing their credentials in Salesforce. Creating a Custom Apex Registration Handler allows UC to customize how new and existing users are handled when they log in with an external identity provider. This means that UC can control howuser records are created, updated, or matched when customers use their social media credentials to authenticate to the community. These two actions can meetthe requirement of UC to use social media credentials for its customer community. 

According to the Salesforce documentation1, OpenID Connect Token Introspection allows all OAuth connected apps to check the current state of an OAuth 2.0 access or refresh token. Theresource server or connected apps send the client app’s client ID and secret to the authorization server, initiating an OAuth authorization flow. As part of this flow, the authorization server validates, or introspects, the client app’s access token. If the access token is current and valid, the client app is granted access.

Allowing password reset using the API and using login flows are two possible ways to enable customers to set their own passwords in Experience Cloud. The other options are notrelevant for this requirement, as they do not address the password issue. References: Allow Password Reset Using the API, Use Login Flows to Allow Users to Reset Passwords in Experience Cloud Sites

 The most appropriate license types for GS regional leads and the GS capacity planners are:

Customer Community Plus license for GS regional leads. This license type allows external users, such as customers or partners, to access standard Salesforce objects, such as cases and dashboards, and custom objects in a community. This license type also supports role hierarchy, sharing rules, and reports. This license type is suitable for GS regional leads who need to report damage of goods using cases and access dashboards to track regional shipping KPIs.

External Identity license for GS capacity planners. This license type allows external users to access a limited set of standard Salesforce objects, such as contacts and documents, and custom objects in a community. This license type also supports identity features, such as single sign-on (SSO) and social sign-on. This license type is suitable for GS capacity planners who need to access the third-party cloud analytics tool using Salesforce as the identity provider.

The other options are not appropriate license types for this scenario. Customer Community license for GS capacity planners would not allow them to access the third-party cloud analytics tool using SSO, as this license type does not support identity features. Identity license for GS regionalleads would not allow them to access cases and dashboards in the community, as this license type does not support standard Salesforce objects. References: [Customer Community Plus Licenses], [External Identity Licenses], [Customer Community Licenses], [Identity Licenses]

User Provisioning for Connected Apps allows Salesforce to create, update, and deactivate users in an external service such as Google Workspace based on user and permission set assignments in Salesforce. References: User Provisioning for Connected Apps

These are the steps required to enable Salesforce as a SAML Identity Provider and use the App Launcher to access external applications. According to the Salesforce documentation1, you need to:

Enable Salesforce as a SAML Identity Provider with My Domain2.

Create aConnected App for each external application that you want to integrate with Salesforce3.

Add each Connected App to the App Launcher with a Start URL that points to the external application1.

Option B is incorrect because setting up an Auth Provider is not necessary for SAML SSO. Auth Providers are used for OAuth SSO, which isa different protocol4. Option D is incorrect because Identity Connect is a tool for synchronizing user data between Active Directory and Salesforce, which is not related to SSO or App Launcher5.